Banks and funds under constant cyber threat

If JPMorgan Chase can get hacked, as it did in 2013 when cyber attackers got access to details on more than 83 million customers, any financial institution is at risk. Nine other banks got hit, according to United States officials, allegedly by the same group of cyber criminals.

Companies get hacked every day; hackers are testing firewalls and online security all the time at companies around the world. Most successful attacks don’t make the news in the way that the recent cyber attack on Sony did, or the theft of millions of credit card numbers from Target in 2013. Many companies may not even know if hackers are in their system. And once a company figures it out, odds are it’s too late.

Locally, companies are aware and pursuing ways to deter or prevent hacking.

“There’s always a lot of activity at the firewall level,” said Neil Stone-Wigg, head of IT with DMS Offshore Investment Services. “There are always people looking for an easy target.”

In the U.S., the Securities and Exchange Commission is increasingly pressuring hedge fund managers to do better with cybersecurity. Institutional Investor reported last month that the SEC examined the security at more than 50 registered investment advisers and broker-dealers. SEC examiners are now setting up interviews with hedge fund managers, reportedly giving only a couple days’ notice, to ask about how secure their networks are against hacker attacks, according to Institutional Investor.

Cayman’s corporate leaders, like their counterparts around the globe, are under threats from cyber attacks every day. Hacking has become big business, and financial institutions are popular targets for the obvious reasons. That’s where Cayman is likely to stand out, given the islands’ concentration of banks and hedge funds and reputation for offshore finance.

Stone-Wigg works with companies around the world for hedge fund governance and other services. With a global presence, like many firms in Cayman, come broader challenges:

“Hedge funds rely on a supply chain of service providers who operate with a steady stream of important and confidential fund information. Sophisticated cyber criminals can easily identify weak links in this information chain and exploit them,” Stone-Wigg says in an October article in Institutional Investor co-written with DMS founder Don Seymour.

Companies get hacked for a lot of reasons: stealing money, embarrassment, revenge, sabotage, corporate espionage. Organized criminal networks and big state actors have been getting in on the act for some time too.

The United States and Israel were implicated in the sophisticated cyber attack credited with taking down centrifuges involved in Iran’s nuclear program. The U.S. has accused the Chinese military in numerous attacks, from stealing weapon designs from military contractors to hacking major news organizations like the New York Times and Wall Street Journal. The FBI has implicated North Korea in the recent Sony hack, and the film company’s movie “The Interview” has been pulled from theaters because of threats from the hackers. The movie is about two journalists who were hired to assassinate the North Korean dictator.

Earlier this month, Michael Bazzell, a cyber crime expert with the FBI, told a crowd of insurance company representative at a conference in Cayman that many hacker attacks against big companies now come from hacker groups linked to organized crime groups in eastern Europe, Russia and other jurisdictions where they know they won’t be prosecuted. “They have zero concern they’ll get caught,” he said.

Vulnerabilities not always digital

In an interview, Stone-Wigg said his company takes a three-pronged approach to securing their networks: defense, monitoring and user education. Defense is what people tend to think of when they think cyber security with firewalls, routers and software controlling access to different parts of the network.

Monitoring, Stone-Wigg explained, involves watching Internet traffic into and especially out of the network. If their software detects someone doing something unusual, like sending a bunch of data off site or downloading a large amount of files to a USB drive, it will flag that user so the IT department can investigate.

Kate Bohner, chief communications, research and marketing officer for DMS, said she has been on the receiving end of one of these red flags. Her marketing team was moving offices and an employee downloaded a lot of data to a USB drive. That got flagged by IT and they got in touch with her – the concern is that a disgruntled employee could steal data to sell to a competitor or try to embarrass the company. Turns out, the employee just wanted to move the data, but it looks the same to the security software.

User education, teaching employees to be careful with what they download or links they click on, is just as important as a firewall, Stone-Wigg said.

“Your employee is the weakest link,” the Bazzell said last month. “They can spend weeks getting into a firewall or spend five minutes emailing your employees.”

Most attacks today, according to Mr. Bazzell, come as emails targeting employees in hopes they will download an attachment or click on a link. These are not the emails from a long-lost cousin in Nigeria promising a fortune, but will appear to come from a co-worker or supervisor. It could come from what appears to be human resources or the CEO, asking employees to fill out a form or check out an article. Once the employee clicks on the link or opens a document, the computer could be automatically infected.

Once hackers get a user to open a PowerPoint presentation or PDF document, they could install software to start logging each and every key stroke on the computer. Once hackers get in, they can start making their way to where sensitive data like financial information or trade secrets are held.

Taron Jackman, a partner with Deloitte in Cayman who focuses on computer security, said recently in an interview that physical security is just as important. His company will do what’s called “vulnerability testing” in which they try to break into computer systems for clients.

Jackman said one of his colleagues would always ask a receptionist for a glass of water if he found himself in an empty waiting room with no security cameras. As soon as the receptionist steps away, a hacker could plug a USB drive into the receptionist’s computer and install malicious software.

Stone-Wigg said DMS has a consultant test the company’s network every six months by trying to hack in with known vulnerabilities.

Breaking the barrier

Micho Schumann, a computer security expert with KPMG, said that once hackers get past that initial wall, normally through tricking an employee, “that’s where we find most of the vulnerabilities.” Corporate computer networks will have a strong firewall between the internal network and the rest of the Internet, but once hackers pass that first barrier, it can be easy for them to make their way through the rest of the network to get access to whatever they might be looking for.

In DMS’s training program, Stone-Wigg said, he is “not trying to beat any employees but merely trying to say ‘use your brain.’”

“In your day-to-day job you’re being asked to review documents, click on links,” he said, but employees just need to be aware that anything they click on or download could become an in for hackers.

Security is a balance

To completely lock down a computer system, a company would have to be disconnected from the Internet. That’s just not feasible for doing business in the 21st century. Employees need to be able to share documents, collaborate on presentations and, of course, send each other humorous cat pictures.

KPMG’s Schumann said, “You’ve got a business to run. There has to be a balance.” But on the other end, he said, “Companies don’t want to end up on the front page of the newspaper.”

In his experience, Mr. Schumann said, a culture of online security “needs to come from the top” – big corporations should have a chief of Internet security operations, they need to invest in security software and hardware, train employees, make security a priority for IT departments, and set a tone of cyber security for the organization.

Stone-Wigg, who works with many companies in his role with DMS, said, “Top executives are a main sponsor in identifying that this can happen to us.”

A key point, he said, is that “to address cyber security correctly, you need to have the resources.”

Schumann said security falls to already overworked IT staffs and often “gets put on the back burner” amid the daily work of keeping large computer networks up and running smoothly. He suggests setting a policy where IT staff dedicates a quarter of their time to security issues.

Bazzell, with the FBI, told the crowd of insurance company representatives in Cayman last month, “If anyone tells you you’re unhackable, fire them today.”

Wayne Green, an IT security manager with Deloitte, said, “It’s not a matter of if you’re going to be hacked, but how you’re going to respond.”